Files in this item



UILU-ENG-12-2206.pdf (application/pdf, 868kB)


Title: Adapting Bro into SCADA: Building Specification-based Intrusion Detection System for DNP3 Protocol
Author(s): Lin, Hui; Kalbarczyk, Zbigniew; Iyer, Ravishankar K.
Subject(s): Intrusion detection; Security specification; Critical infrastructure
Abstract: Modern SCADA systems are increasingly adopting Internet technology to control industry processes. With their security vulnerabilities exposed to public networks, an attacker is able to penetrate into these control systems to put remote facilities in danger. To detect such attacks, SCADA systems require an intrusion detection technique that can monitor network traffic based on proprietary network protocols. To achieve this goal, we adapt Bro, a network traffic analyzer widely used for intrusion detection, for use with SCADA systems. A built-in parser in Bro supports DNP3, a network protocol that is widely used in SCADA systems for electrical power grids. By exploiting Bro’s intrusion detection features, we apply a specification-based technique to analyze the parsed traffic. This built-in parser provides high visibility of network events in SCADA systems. Instead of exploiting an attack signature or a statistical normal pattern, SCADA-specific semantics related to each event are analyzed. Such analyses are made in terms of defined security policies which can be included at runtime. Our experiments are carried out in a laboratory-scale SCADA system environment with well-formatted but malicious network traffic. The detection capability and performance of the Bro-adapted intrusion detection system revealed in experiments show its potential applicability in the real SCADA system environment.
Issue Date: 2012-07
Publisher: Coordinated Science Laboratory. University of Illinois at Urbana-Champaign.
Series/Report: Coordinated Science Laboratory Report no. UILU-ENG-12-2206
Genre: Technical Report
Sponsor: Department of Energy & Department of Homeland Security/DE-OE0000097
Date Available in IDEALS: 2016-07-07
